Lessons from the First Phases of Continuous Diagnostics and Mitigation Program

Patrick D. Howard, CISSP, CISM, Kratos Technology & Training Solutions, was lead author of this peer-reviewed article.

With the advent of the Continuous Diagnostics and Mitigation Program in August 2013, the Homeland Security Department committed to improving the security of U.S. civilian government information systems by expanding agency-level continuous monitoring and response capabilities.

Since its inception, the goal of this $6 billion initiative has been to improve the cybersecurity posture of federal civilian government agencies by helping them increase visibility of their hardware and software assets and security vulnerabilities to allow them to make faster and more informed risk-based decisions. However, despite the recognized value of CDM and in light of recent, highly publicized attacks on their agencies, to date only a few have implemented CDM requirements.   

On May 15, DHS reported in a briefing to industry that 24 major and roughly 40 small agencies were engaged in implementing CDM Phase 1 (“What is on the network?”) and CDM Phase 2 (“Who is on the network?”) requirements. Current plans are for these agencies to transition to operational status by the end of fiscal 2018, almost five years after CDM Program initiation.  

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

While key federal civilian agency personnel quickly understood the value of DHS’ CDM Program and readily concurred with its objectives, success in achieving those objectives has been elusive. Any initiative targeting the security of each and every federal civilian agency is, of course, susceptible to implementation challenges that include contracting issues, unique agency-specific complexities, requirements definition complications, and software integration difficulties. However, the focus of this article is how agencies themselves might have been better prepared for implementing CDM.  

Successful CDM Program implementation relies on the active participation of agency executives and IT managers and professionals. Success hinges on effective communication of technical requirements to personnel involved with implementing the CDM solution. This ensures understanding and enhances their ability to comprehend how meeting CDM requirements can increase their agency’s risk posture, as well as making them aware of the complexity of CDM tasks and the tools involved. 

There are three actions that could have been taken prior to the launch of implementation projects that could have led to better understanding and improved participation by agency personnel: first, development of a dashboard solution for demonstration purposes; second, development of a functioning CDM prototype for hands-on familiarization; and last, timelier CDM training. 

• CDM Dashboard Demo:  One of the most important objectives of the CDM Program is to implement dashboards at the agency and the federal government level to allow display of CDM monitoring data for near-real-time visibility to allow agency personnel to prioritize their response according to risk. Further, aggregation of agency dashboard data in a federal-level dashboard will facilitate broader security oversight and reporting by DHS. Fundamentally, the dashboard concept was understood by agency IT operations personnel because of their experience with security tools that generally display monitoring data via proprietary dashboard functionality. However, since the purpose of the agency-level CDM dashboard is to consolidate data feeds from new and existing security tools spanning various, disparate security capabilities and organizational elements, its design requirements were substantially more complex than agency personnel recognized. The ability of agency operational personnel, system owners and security specialists to have hands-on access to the dashboard solution would have greatly improved their ability to see the utility of the solution and understand how it might best be employed in their agencies. Unfortunately, the timetable for development of the DHS-approved dashboard solution did not permit hands-on use prior to initiation of the CDM Phase 1 and Phase 2 rollout.  
• CDM Solution Prototype: Similarly, agency personnel would have greatly benefitted by being able to familiarize themselves with CDM requirements, concepts and capabilities through the hands-on use of an operating CDM solution in a pilot agency. Had the DHS project management plan called for the development and implementation of a CDM Phase 1 prototype in an agency setting, government as well as contractor personnel charged with the CDM solution rollout would have been able to better understand the CDM solution technically and operationally, to discuss implementation implications with pilot agency counterparts, as well as to see for themselves the practical utility of the solution.  
• Agency-Level CDM Training and Familiarization: Training of agency personnel assigned responsibility for managing, implementing and operating the CDM solution was given insufficient priority in implementation planning. Consequently, their lack of understanding hampered agency level implementation planning and performance of actual implementation tasks. Had CDM training been initiated earlier in the project, agency personnel would have been able to participate more effectively in project roll-out and solution operation. This issue has been largely rectified by DHS’ development of excellent live, online training and training materials. Had that level of emphasis existed prior to or along with agency level implementation efforts, there is little doubt the understanding and involvement of agency-level personnel would have greatly assisted in more effective solution implementation.

Fortunately, DHS has responded to these and other implementation challenges by recently restructuring the CDM Program and is about to issue a series of task orders that improve on program implementation. To support its objective of increasing implementation timeliness, DHS should prioritize the engagement of agency personnel through effective and timely training and communication and sharing of lessons learned to avoid implementation difficulties the CDM Program has experienced to date.